diff --git a/refpolicy/policy/modules/services/nscd.if b/refpolicy/policy/modules/services/nscd.if
index 4c858a8..d53878a 100644
--- a/refpolicy/policy/modules/services/nscd.if
+++ b/refpolicy/policy/modules/services/nscd.if
@@ -97,6 +97,26 @@ interface(`nscd_use_shared_mem',`
 ########################################
 ##
+## Read NSCD pid file.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`nscd_read_pid',`
+ gen_require(`
+ type nscd_var_run_t;
+ class dir search;
+ class file { getattr read };
+ ')
+
+ files_search_pids($1)
+ allow $1 nscd_var_run_t:dir search;
+ allow $1 nscd_var_run_t:file { getattr read };
+')
+
+########################################
+##
 ## Unconfined access to NSCD services.
 ##
 ##
diff --git a/refpolicy/policy/modules/services/nscd.te b/refpolicy/policy/modules/services/nscd.te
index 4b04a58..792d14a 100644
--- a/refpolicy/policy/modules/services/nscd.te
+++ b/refpolicy/policy/modules/services/nscd.te
@@ -37,7 +37,7 @@ allow nscd_t self:nscd { admin getstat };
 allow nscd_t nscd_var_run_t:file create_file_perms;
 allow nscd_t nscd_var_run_t:sock_file create_file_perms;
-files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file})
+files_create_pid(nscd_t,nscd_var_run_t,{ file sock_file })
 kernel_read_kernel_sysctl(nscd_t)
 kernel_list_proc(nscd_t)
diff --git a/refpolicy/policy/modules/system/authlogin.te b/refpolicy/policy/modules/system/authlogin.te
index 29f071a..bbab98b 100644
--- a/refpolicy/policy/modules/system/authlogin.te
+++ b/refpolicy/policy/modules/system/authlogin.te
@@ -181,6 +181,8 @@ domain_use_wide_inherit_fd(pam_console_t)
 files_read_etc_files(pam_console_t)
 files_search_pids(pam_console_t)
 files_list_mnt(pam_console_t)
+# read /etc/mtab
+files_read_etc_runtime_files(pam_console_t)
 init_use_fd(pam_console_t)
 init_use_script_pty(pam_console_t)
diff --git a/refpolicy/policy/modules/system/modutils.te b/refpolicy/policy/modules/system/modutils.te
index 7c99985..1196611 100644
--- a/refpolicy/policy/modules/system/modutils.te
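Review bot: In nscd.if, the new nscd_read_pid interface is documented as reading the pid file, but its rule `allow $1 nscd_var_run_t:file { getattr read };` covers every regular file labelled nscd_var_run_t, so the summary understates the grant. Whether nscd keeps anything besides its pid file under that type cannot be seen from this diff; if it does, the caller added in the second sysnetwork.te hunk (dhcpc_t) can read those files too. I would state the real scope in the interface's summary block, for example `## Read NSCD pid file (grants getattr and read on all nscd_var_run_t files).`, or give the pid file its own type if the narrower access is what is intended.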
+++ b/refpolicy/policy/modules/system/modutils.te
@@ -107,7 +107,7 @@ ifdef(`hide_broken_symptoms',`
 dev_dontaudit_rw_cardmgr(insmod_t)
 ')
-ifdef(`tunable_policy',`
+ifdef(`targeted_policy',`
 unconfined_domain_template(insmod_t)
 ')
diff --git a/refpolicy/policy/modules/system/sysnetwork.te b/refpolicy/policy/modules/system/sysnetwork.te
index 31b6588..5dbd0f1 100644
--- a/refpolicy/policy/modules/system/sysnetwork.te
+++ b/refpolicy/policy/modules/system/sysnetwork.te
@@ -56,7 +56,7 @@ allow dhcpc_t dhcp_etc_t:dir r_dir_perms;
 allow dhcpc_t dhcp_etc_t:lnk_file r_file_perms;
 allow dhcpc_t dhcp_etc_t:file { r_file_perms execute execute_no_trans };
-allow dhcpc_t dhcpc_state_t:dir rw_dir_perms;
+allow dhcpc_t dhcp_state_t:dir rw_dir_perms;
 allow dhcpc_t dhcpc_state_t:file create_file_perms;
 type_transition dhcpc_t dhcp_state_t:file dhcpc_state_t;
@@ -181,6 +181,7 @@ optional_policy(`nis.te',`
 optional_policy(`nscd.te',`
 nscd_domtrans(dhcpc_t)
+ nscd_read_pid(dhcpc_t)
 ')
 optional_policy(`ntpd.te',`
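Review bot: In modutils.te, the ifdef that guards `unconfined_domain_template(insmod_t)` has no comment saying that the unconfined grant is meant for the targeted policy only. That guard is the only thing keeping insmod_t confined in other builds, and the old symbol looks like the name of a policy macro rather than a build flag, so the condition was probably true everywhere. A one-line comment above the ifdef, such as `# insmod_t is unconfined only in the targeted policy`, would make a future slip in the guard name easier to spot. It is also worth searching the other modules for an ifdef on tunable_policy, since this commit touches only this one.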
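Review bot: In the first sysnetwork.te hunk, the corrected rule leaves dhcpc_t with no directory permissions on dhcpc_state_t at all, which is right only if no directory carries that label. The file contexts are not part of this diff, so this should be checked against the module's .fc file before merging; if a client-only state directory is labelled dhcpc_state_t, the old line needs to stay alongside the new one. The new rule also gives dhcpc_t write access to the dhcp_state_t directory, which by its name may be shared with other DHCP domains. A comment tying it to the type_transition that follows would help, e.g. `# add dhcpc_state_t files to the shared dhcp_state_t directory`.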